Adding a pam configuration file

[alba4k]

This pull request would make hyprlock use it's own pam configuration file instead of the su one

This allows the user to include random pam services into it without touching stuff required by other programs.

By default, this just includes the /etc/pam.d/login configuration, which contains, by default:

#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login

Basically just asks for a password.

Creating a custom pam configuration is exactly what #4 is asking for, and that issue is therefore fixed by this PR

On a sidenote, I'm not really sure about this line in CMakeLists.txt:

# [...]
install(FILES "pam/hyprlock" DESTINATION "/etc/pam.d")

Is this the best way to do that? I'm not sure if using an absolute path is the best approach, but I didn't find anything better. Of course it can still be modified by using DESTDIR

[vaxerski]

all good just need @fufexan to fix nix nix fix pls fix nix nix fix

[alba4k]

Was about to ping but wasn't 100% completely sure if it was just me being me

[vaxerski]

also I think trying su if regular fails would be a nice touch too.

Don't lock the user out :(

[alba4k]

login already includes a ton of stuff, that file not working would mean the user is already locked out of his system anyway (since /bin/login wouldn't work), ergo there would be bigger issues than hyprlock not unlocking.

This is the same approach swaylock and i3lock use.

[alba4k]

On a sidenote, I managed to SIGSEGV hyprlock using my modified login file:

#%PAM-1.0
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_fprintd.so
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login

To do this I would press enter on an empty password, then the fingerprint auth will start. Once fprintd times out tho, hyprlock just terminates. Swaylock (yeah, sorry, that's the obvious comparison) will just restart the authentication. Should I open a different issue for that?

Again, this is not related to this PR in particular but moreso to using fprintd

[fufexan]

@alba4k what about CMAKE_INSTALL_FULL_SYSCONFDIR?
In any case we can include -DCMAKE_INSTALL_SYSCONFDIR=/etc in the readme build command, but it should already exist either way.

[alba4k]

Sorry for deleting, added it as a comment to the suggestion. CMAKE_INSTALL_FULL_SYSCONFDIR doesn't work either, should I just add it to the README?

[fufexan]

LGTM

[vaxerski]

login already includes a ton of stuff, that file not working would mean the user is already locked out of his system anyway (since /bin/login wouldn't work), ergo there would be bigger issues than hyprlock not unlocking.

This is the same approach swaylock and i3lock use.

My logic was more like someone forgor 💀 to copy the file.

[alba4k]

oh so in hyprlock, in case the file is not found. That makes sense.

[PaideiaDilemma]

As a nix user I had to do "security.pam.services.hyprlock = {};" for this to work.
Maybe that should be mentioned in the hm module like swaylocks hm module does.

[alba4k]

@fufexan

[vaxerski]

it's your fault for not fallbacking to su

[alba4k]

also I think trying su if regular fails would be a nice touch too.

@vaxerski looking into that right now. pam_start seems to return 0 regardless of whether the file exists or not, should I just manually check?

I'd just leave everything as-is tbh, as that is what every other program would usually do (again, take swaylock as an example).

[vaxerski]

why not try regardless if any fail

[fufexan]

@fufexan

ye?

[alba4k]

ye?

#115 (comment)
Not familiar with nix stuff

[alba4k]

why not try regardless if any

Because I'd have no idea how to implement that in the existing code, having never worked with pam myself :P

[fufexan]

@alba4k done in 97548ec.

[alba4k]

ping @PaideiaDilemma not me ahah

[vaxerski]

I swear to god amma revert this, I added the pam file and yet STILL can't login

[vaxerski]

why did you make the pam file 600 ffs

[vaxerski]

added su fallback in f9fe60c

[Jackaed]

Can we make the su fallback optional @vaxerski? I'm trying to configure hyprlock to not try and use fprintd, despite the fact that my su does trigger fprintd auth, but even if I remove it from the hyprlock PAM config, if I put in an incorrect password, it still calls fprintd and then I have to wait for that to timeout before I can put a new attempt in.

I'm not convinced that having su as a fallback by default is a good idea in general, if people need that functionality they can just include their su pam file within the hyprlock pam file. I'm yet to see any similar projects that behave similarly to hyprlock in this regard.

[alba4k]

When you input a wrong password you get prompted for fingerprint but that likely has nothing to do with your su, rather with your hyprlock config

I believe su is only used when hyprlock can not be used, not when it fails to authenticate

[Jackaed]

I believed that to be the case as well, but fprint is not in my PAM config in /etc/pam.d/hyprlock, and removing fprint from my su pam configuration causes the system to no longer unlock with my fingerprint. I get this output from hyprlock when inputting an incorrect password:

[ERR] auth: Authentication failed for hyprlock
[ERR] auth: Authentication failed for su

Neither of these errors occur if I just input the correct password. I haven't looked at the code, but based on this, it seems like it uses su as a fallback if the unlock attempt wasn't successful.

Fortunately I have root user disabled anyways so I can just remove fingerprint auth from su and keep it on sudo, so it's not actually an issue for my use case, but I still think this is a questionable way of doing things.

NOTE: I'm only on version 2, this may work differently on version 3, v3 has only just been put in nixpkgs so I'll be able to test this tomorrow probably.

[PaideiaDilemma]

Guys the latest git version does not have a su fallback anymore. You can specify the pam module used by hyprlock in the config. Check the wiki :)

[alba4k]

su is still used as fallback btw

[bvr-yr]

su is still used as fallback btw

really? no fallback for me, I'm getting faillocks like intended.
What is not intended, faillock also happens with grace enebled. @PaideiaDilemma that's a bug or smth wrong on my end with pam?

[PaideiaDilemma]

su is still used as fallback btw

It is, but not at time of authentication, but at startup.
From the wiki:

If the module isn’t found in /etc/pam.d, “su” will be used as a fallback